Ransomware gangs abuse Process Explorer driver to kill security software

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and capable of running with kernel privileges on the victims' devices to disable security solutions and take over the system.

This technique is popular among various threat actors, from state-backed hacking groups to financially-motivated ransomware gangs.

The AuKill malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft's Process Explorer v16.32. This is a very popular and legitimate utility that helps collect information on active Windows processes.

To escalate privileges, it first checks if it's already running with SYSTEM privileges, and if not, it impersonates the TrustedInstaller Windows Modules Installer service to escalate to SYSTEM.

To disable security software, AuKill starts several threads to continuously probe and disable security processes and services (and ensure they remain disabled by preventing them from restarting).

So far, multiple AuKill versions have been observed in the wild, some deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year.

"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," Sophos X-Ops said.

"In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware."

Ransomware gangs abuse Process Explorer driver to kill security software

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

www.bleepingcomputer.com

 

[TairikuOkami]

MS should mark PE as PUA, because this is the same reason, they damned Process Hacker.

 

[lain]

Blacklisting the PH driver was such a lame move from M$.
That ProcExp driver exploit has been around for a while, wonder why it's just now finding use?

 

[Andy Ful]

MS should mark PE as PUA, because this is the same reason, they damned Process Hacker.

I think that they should. The AuKill tool abuses an outdated version of the driver used by version 16.32.

Here is an interesting article about using drivers in attacks: https://arxiv.org/ftp/arxiv/papers/2210/2210.02821.pdf

The attack uses another method (different from AuKill).

One can prevent most attacks (related to drivers) by blocking vulnerable drivers via WDAC. The current blocklist recommended by Microsoft blocks Process Explorer drivers (MaximumFileVersion="16.65535.65535.65535).

Microsoft recommended driver block rules - Windows Security

View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.

learn.microsoft.com

There are also other possibilities (probably troublesome in enterprises) like using open-source hypervisors, such as Kernel-Bridge by HoShiMin or MemoryRanger by Korkin (they are mentioned in the article).

 

[Trident]

Blacklisting the PH driver was such a lame move from M$.
That ProcExp driver exploit has been around for a while, wonder why it's just now finding use?

It takes time for attackers to discover vulnerabilities in drivers. They normally monitor changelogs and software drivers modification date to suspect where vulnerabilities may be. Then, it takes time to discover them and put them to use.

It takes additional time for the information to be shared/sold on the dark web and purchased. This is the point when driver can be considered vulnerable and blocks can start being implemented.

In an ideal world, the driver and the signature will be invalidated/decommissioned. In the world of Microsoft where security consists of closing a door whilst leaving 5 windows open at the same time, the driver hash will merely be put in the Intelligent Security Graph and will be blocked by WDAC.

 

[lain]

It takes time for attackers to discover vulnerabilities in drivers. They normally monitor changelogs and software drivers modification date to suspect where vulnerabilities may be. Then, it takes time to discover them and put them to use.

It takes additional time for the information to be shared/sold on the dark web and purchased. This is the point when driver can be considered vulnerable and blocks can start being implemented.

In an ideal world, the driver and the signature will be invalidated/decommissioned. In the world of Microsoft where security consists of closing a door whilst leaving 5 windows open at the same time, the driver hash will merely be put in the Intelligent Security Graph and will be blocked by WDAC.

True indeed but this particular driver had a public PoC for a few months.
Also, in a similar vein, wondering why people are still using dbutil which has been sig-ed to hell and back.
I'm responsible for a few of the drivers on the ms blacklist, so I'm aware of the rnd process and these drivers are NOT hard to find or exploit.
I've got two more to be (responsibly) disclosed within the next few weeks that will be nice for ppl to use but there are so, so many better drivers to use for this.

I'm wondering if it's low level-of-effort / ability on the attacker side, which is unlikely given the fact that they're you know ransomware groups.
I guess another factor may be using run of the mill drivers to not disclose capabilities?
Idk, I just find it really interesting how some aspects of the ransomware attack chain are very complex and some are pretty amateur hour.

Edit: I didn't realize I had gotten a CVE for a Lenovo driver until one day I was googling the driver name and found shitloads of forum posts that said code integrity checks failed and bugchecked everyone's machines lmao. Then I checked MS blacklist and it was there so good job Lenovo.

And also props to MS for patching their vuln driver blacklist to actually turn on enforcement lol.

 

[Trident]

@lain impressive work with the drivers.

Tactics and techniques are usually derived through countless hours of research and tests with these gangs and they are normally aimed at evading defences (whatever it involves). You can frequently find cases where part of the attack is of extremely high level (such as inflated loader with a digital signature) and then another part makes you wonder why (such as the same loader dropping an *exe with VT 50/70).

Their attack chains are created by a lot of people, frequently involve copying and pasting with no proper checks and in these cases, this is what you get — disorganisation can occur at any time.

Sometimes security vendors are so focused on solving the complex evasion cases, they completely forget there are not-so-complex attacks (such as a small PowerShell keylogger whose code is not even encoded). Attackers exploit this fact.

 

[lain]

@lain impressive work with the drivers.

Tactics and techniques are usually derived through countless hours of research and tests with these gangs and they are normally aimed at evading defences (whatever it involves). You can frequently find cases where part of the attack is of extremely high level (such as inflated loader with a digital signature) and then another part makes you wonder why (such as the same loader dropping an *exe with VT 50/70).

Their attack chains are created by a lot of people, frequently involve copying and pasting with no proper checks and in these cases, this is what you get — disorganisation can occur at any time.

Sometimes security vendors are so focused on solving the complex evasion cases, they completely forget there are not-so-complex attacks (such as a small PowerShell keylogger whose code is not even encoded). Attackers exploit this fact.

Thank you!
100% agreed, EDR is extremely hit or miss when it comes to detecting either: novel techniques, very old techniques.
Edit: I should add that EDR does a very good job at detecting most run of the mill malware families, OST's, and flavor-of-the-month attacks.

That makes a lot of sense with respect to copy/pasted code.
I need to get more into TI/DFIR or malware analysis.
A lot of that stuff seems so cool, and you clearly have a breadth of knowledge with rw gang toolkits.

 

[Andy Ful]

In an ideal world, the driver and the signature will be invalidated/decommissioned. In the world of Microsoft where security consists of closing a door whilst leaving 5 windows open at the same time, the driver hash will merely be put in the Intelligent Security Graph and will be blocked by WDAC.

That is why there is Microsoft Windows and there is no Microsoft Doors.

 

[Trident]

That is why there is Microsoft Windows and there is no Microsoft Doors.

At Microsoft the Windows have doors on them. Why close doors? Microsoft Defender signatures, ASR rules and machine learning models will do. Almost.

It’s good that there is no Microsoft Doors, they would be notoriously unreliable with tens of bypasses hindering unfixed. You might as well just remove the door and let everybody in. The ease of access may deter a lot of criminals from even entering. This will be a better approach overall.

 

[Andy Ful]

It is probable that if there were no Microsoft Windows (5 windows opened when one door closed) then "Microsoft Doors" would not be possible too. "Microsoft Doors" could work as intended only when much "lower fruit" like Microsoft Windows is a primary target.
Microsoft Windows is a kind of cyclical strategy:

1. make a useful system with implemented average security,
2. observe how it is attacked,
3. add some changes to make the attacks more and more expensive to the attackers (close one door),
4. add some new features (open new windows) and go to point 2.

 

[Trident]

average security

useful system

Although this is diverging from the topic, Microsoft (R) Windows (R) tools and utilities are neither useful, nor secure.
They are tools developed to an extremely low standard, providing the bare minimum of functionality and usability (or jam packed with bloatware, there is no middle ground at Microsoft).
Many of these tools and utilities (or let’s call them experiences) have been an object of tens of thousands of updates, under various Insider heads (Dona Sarkar, Gabriel Aul and many others) and to date have retained the patented Microsoft low standard.

The whole operating system is widely used not because someone wants and adores it (apart from its 5 die-hard fans), it is used due to lack of choice. Some people don’t know there are better options, others can’t afford them, third can’t play games or run business software. Microsoft Windows as well as various other software packages such as Microsoft Defender are every accounting department (specially the cost-control part of it)’s favourite.

Security at Microsoft has remained almost non-existent throughout the years and I am sure attackers use various whitepapers, blog posts and other related reads as a substitute for morning anecdotes.

But in the end, people are free to believe that they have been supplied with a useful OS, reactively monitored for potential security risks.

 

[Andy Ful]

@Trident,
You are right that "Security at Microsoft has remained almost non-existent throughout the years". But, by "useful system with implemented average security" I meant Windows 10+.
If one would like to include earlier versions, then the strategy would look as follows:

1. make a useful system,
2. observe how it is attacked,
3. add some changes to make the attacks more and more expensive to the attackers (close one door),
4. add some new features (open new windows) and go to point 2.

If one starts with "make a useful system" and the cycle ends with "add some new features", then the product will not be a model of safety. Similarly, popular cars cannot be safe in our culture.

 

[Andy Ful]

The whole operating system is widely used not because someone wants and adores it (apart from its 5 die-hard fans), it is used due to lack of choice.

I could not deny it.
But if something is widely used then it is useful (I think). Other assumptions (adoration, lack of choice, etc.) are not necessary.

 

[Andy Ful]

Back to the topic.
The example of Process Explorer shows how much should be done to mitigate attacks via non-system drivers (even on Windows 11). Even if the driver is non-vulnerable it can be dangerous because it is powerful (can be abused).

 

[Trident]

Back to the topic.
The example of Process Explorer shows how much should be done to mitigate attacks via non-system drivers (even on Windows 11).

Additional evidence:

The Evolution of Windows Kernel Threats - Security News

In this report, we examine how these low-level threats have evolved through the years and discuss the three types of low-level threats that affect Windows systems. The categorization of more than 60 of the most noteworthy Windows low-level threats observed in the wild from 2015 to 2022 and where...

www.trendmicro.com

https://documents.trendmicro.com/assets/white_papers/wp-an-in-depth-look-at-windows-kernel-threats.pdf